From c8b1091548382d295b06ff70aff8f7c456fb86ab Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra <kiara@procolix.eu>
Date: Fri, 4 Jul 2025 19:23:41 +0200
Subject: [PATCH] allow consuming attic cache from ci runner

---
 default.nix                                   |   1 +
 infra/common/nixos/default.nix                |   8 +++
 .../dev/forgejo-ci/forgejo-actions-runner.nix |  49 +++++++++++++++++-
 secrets/attic-ci-token.age                    | Bin 0 -> 1745 bytes
 secrets/secrets.nix                           |   1 +
 5 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 secrets/attic-ci-token.age

diff --git a/default.nix b/default.nix
index 70c5aaf5..513dfd12 100644
--- a/default.nix
+++ b/default.nix
@@ -64,6 +64,7 @@ in
         pkgs.httpie
         pkgs.jq
         pkgs.nix-unit
+        pkgs.attic-client
         test-loop
         nixops4.packages.${system}.default
       ];
diff --git a/infra/common/nixos/default.nix b/infra/common/nixos/default.nix
index 71b08426..9d9f994d 100644
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@@ -24,6 +24,14 @@ in
     experimental-features = nix-command flakes
   '';
 
+  nix.settings = {
+    substituters = [
+      "https://attic.fediversity.net/demo"
+    ];
+    trusted-public-keys = [
+      "demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM="
+    ];
+  };
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;
diff --git a/machines/dev/forgejo-ci/forgejo-actions-runner.nix b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
index bb6928cc..4b13d854 100644
--- a/machines/dev/forgejo-ci/forgejo-actions-runner.nix
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
@@ -1,8 +1,20 @@
-{ pkgs, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  sources,
+  ...
+}:
 
 {
   _class = "nixos";
 
+  imports = with sources; [
+    (import "${home-manager}/nixos")
+    "${vars}/options.nix"
+    "${vars}/backends/on-machine.nix"
+  ];
+
   services.gitea-actions-runner = {
     package = pkgs.forgejo-actions-runner;
 
@@ -44,4 +56,39 @@
 
   ## For the Docker mode of the runner.
   virtualisation.docker.enable = true;
+
+  vars.settings.on-machine.enable = true;
+  vars.generators."templates" = rec {
+    dependencies = [ "attic" ];
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.gnused
+    ];
+    script = lib.concatStringsSep "\n" (
+      lib.mapAttrsToList (template: _: ''
+        cp "$templates/${template}" "$out/${template}"
+        echo "filling placeholders in template ${template}..."
+        sed -i "s/${placeholder}/$(cat "${config.age.secrets.wiki-password.path}")/g" "$out/${template}"
+      '') files
+    );
+
+    files."attic.toml" = {
+      secret = true;
+      template = pkgs.writeText "attic.toml" ''
+        default-server = "fediversity"
+
+        [servers.fediversity]
+        endpoint = "http://localhost:8080"
+        token = "${config.vars.generators.attic.files.token.placeholder}"
+      '';
+    };
+  };
+
+  home-manager = {
+    users.gitea-runner.home = {
+      stateVersion = "25.05";
+      file.".config/attic/config.toml".source =
+        config.vars.generators."templates".files."attic.toml".path;
+    };
+  };
 }
diff --git a/secrets/attic-ci-token.age b/secrets/attic-ci-token.age
new file mode 100644
index 0000000000000000000000000000000000000000..60fafd04c7b0552bb9f30c0a9902be92ab27e0ef
GIT binary patch
literal 1745
zcmZY6dr%Vx0>^PV?Fc!0rwBe;rWeI))f_IHY)ArL%aUx~A%twQn+#R++-#EF&4WDA
z8PQf4N-bim#j8B(jUZ|ds#0r};-eyhR_hgNg;tc~#9AmKimk}q{mcFL`|mTq`C14^
zhJ&^RV!mRMq1Q110tkbwjMv%0pew^+=kocWh^_S5xFF27hxA;RGtaN!!BUS?sWftV
z>JSp87;QY1>C})0#;A{YY(i~B!4ms<j?4h;w;2PH2!)}z*v`c~NYrgWqo7V<w0l84
zs*5n{LTI*@2M2{Zn5_zXqol}6E9FKUQ3kzYsl~!@<gu(s$f9wW1%M??X8mu`1WO2r
zj35R_f(V%v@uTv%Qe!B9?63e7;$oWx2Him$DJk~SeA8@=aq4I<!4}vUFC{LZgE2cs
zIiM_#EfgUH5(Kfjykf>rsBx4qn+zhKT*FcsA#TuYHS$QF#wqff0zn|IfW%o+P!o{(
z4ACIU3;1D!g?7NRHL*763&U*M56E~XZ#-Xa<?wVgj4Fdt0VgkRixnUMmFW$6u?WX*
zA~8(I;@He^NMY85eF`X3YBoo7F0(cg26zTaN%H|W;B>iAMv>2GHM2D?9zcl*TQ4Au
zQc4d2JgF)!E0Cx#N&=e#5TS-tK9f6cl!O&7(xEb9CKi?_lDlxZ3FX6PsSK5XPEuA_
zC@&UMf{@39dp(py&zGyU+}QtVmWa|JhuMK*59$HK1`z}c3JeZ`Cf^TvGUE`b^b3?=
z!0Xf!8aWuii*bVGD8wl(9nfbXnJ{ERpiG8eNCLr7A*zAmb~Qh0=J;h%z;00oXMYn)
z6$nqq&PNSajPh&apw?wkSv+Q0EZ}s-^oYn7;`7yUJTCC)g%lKz>R3|R?2WoapvNcE
zA})IrR)#^5Mvu4(^Zh8`Af?5y2oOU8zWTr2GBVhCjFUs*AgObs1%4xqOEA)?q-flL
zna%MCW|af-sF{KYEl0s(f7Y0}z`*pu6S!}J+;)F-*YMR*!b-o}woo`yy|}Aqc~jF3
zanbQb9VcFCzKv%uYM(o}1ba<bv7jz@03TR3bY^h;*Q3>sSoO4RqM_^?aneh?KIWnO
za>b!*Gn-Q6z|~m1(DtqUF)}gs>d;7O|M6r?>CSIkVey)C+Aj<vUmZ}GDxbCEd*sS}
zJCWfB7n>7n8~*kMF_V8;{n22~y*l}=l0n%`YsFumrtWxeB5Cu-uc%&b+&X?{dTQ1E
z!SM3*25J??49zLE7j(C7{#|>kW=jj$@xpu0Ypc0WPF)B(%`MnDUeRM;^||D!(XL~u
z>kmC@9~(U(`a}I^pC4P<*}JCVuB3nF%X!21)P{upC2NMWk&P>VP~{%(hEskzm@U2V
zNrrGi)bEQ-t)AW>{p8;C_`D%(=wfng#oH?fm$Ysx$GSgH*W+b>-(LDwo~3R*pHu&2
z*xEaGvTrl8dgVVhypelk$)!wfLcApHhY{6Os$|Rj{nKy3@XZfvGd8^mq&!%X%N_W2
zUKQ`fOTXy9FWdDbxaq**!gj$6CS0@r60v9F9HhyWd<GIcX-FMvyt(R6!QC%fu%8Lv
z;-tG@AL&^<34Y`+-`-hXpO(YaJlpzUP$MjF@nxmue&zkM^MtkQ1MDf@t$TiQ;Fo<z
zZn)>Y@%y#!3`h?=YA!I09V{ZI<$cSWHon>QPWy$sznx!}USxC=`8h*Nb<vI@bUK|N
z%C=tVJbO64mics9c5m9Us+O4Q=(}Y9?nN1ORl0SC_n-ZH#P!|tuKB4c4%_~$>ZH}D
z691BNE3dYxapA(_BjpWyBsHP7^pmC;RDQhQqkSECT<Lzex5v?~KD$%#^vC;?o!SoK
z>S+Cko>i^!9M2)^!U<-4PDxd9Py6Ez>#mYJjl9IU7b)r7iT7VNSBi7@pW4$6xK0n-
z`*%c!m!^&!t$gWl!N;x9l*HWD>+7E0)o^}Jo8nFOcT^_KpYy?$Pq+Sym$=tj_1ZOL
zWH0BpGxf%z@8LV1XXFO=9W-%1_v@~j*3r?TnU3!Ey0IVcz%^}Gj(umJJYVYEZ4f>j
zPd*>M9l4x#T8(TWM^1i2Q@d(wWViZr%5KR!*Cw_W)2rLy1nbf!)9u>a?HjWV*E=eD
zrC+|PTY>ExXg)3J>OAWm{HgKAitHo3+a}{ZMAE(fQ_w%JNqlV@*0vr3ZBFR><Bok2
Jf6MiQ{{gQ0;yVBU

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 88d1bb03..4b368f30 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -24,6 +24,7 @@ concatMapAttrs
     ## are able to decrypt them.
 
     {
+      attic-ci-token = [ forgejo-ci ];
       forgejo-database-password = [ vm02116 ];
       forgejo-email-password = [ vm02116 ];
       forgejo-runner-token = [ forgejo-ci ];